Search for packages
| purl | pkg:npm/react-router@7.2.0-pre.1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1khb-1639-afhf
Aliases: CVE-2026-21884 GHSA-8v8x-cx79-35w7 |
React Router SSR XSS in ScrollRestoration A XSS vulnerability exists in in React Router's `<ScrollRestoration>` API in [Framework Mode](https://reactrouter.com/start/modes#framework) when using the `getKey`/`storageKey` props during Server-Side Rendering which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the keys. > [!NOTE] > This does not impact applications if developers have [disabled server-side rendering](https://reactrouter.com/how-to/spa) in Framework Mode, or if they are using [Declarative Mode](https://reactrouter.com/start/modes#declarative) (`<BrowserRouter>`) or [Data Mode](https://reactrouter.com/start/modes#data) (`createBrowserRouter`/`<RouterProvider>`). |
Affected by 0 other vulnerabilities. |
|
VCID-2bdv-sysu-ryef
Aliases: CVE-2025-68470 GHSA-9jcx-v3wj-wh4m |
React Router has unexpected external redirect via untrusted paths An attacker-supplied path can be crafted so that when a React Router application navigates to it via `navigate()`, `<Link>`, or `redirect()`, the app performs a navigation/redirect to an external URL. This is only an issue if developers pass untrusted content into navigation paths in their application code. |
Affected by 3 other vulnerabilities. |
|
VCID-7nah-t7y2-zfcy
Aliases: CVE-2025-59057 GHSA-3cgp-3xvw-98x8 |
React Router has XSS Vulnerability A XSS vulnerability exists in in React Router's `meta()`/`<Meta>` APIs in [Framework Mode](https://reactrouter.com/start/modes#framework) when generating `script:ld+json` tags which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the tag. > [!NOTE] > This does not impact applications using [Declarative Mode](https://reactrouter.com/start/modes#declarative) (`<BrowserRouter>`) or [Data Mode](https://reactrouter.com/start/modes#data) (`createBrowserRouter`/`<RouterProvider>`). |
Affected by 4 other vulnerabilities. |
|
VCID-fvgg-y3kj-wyew
Aliases: CVE-2025-43865 GHSA-cpj6-fhp6-mr6j |
React Router allows pre-render data spoofing on React-Router framework mode ## Summary After some research, it turns out that it's possible to modify pre-rendered data by adding a header to the request. This allows to completely spoof its contents and modify all the values of the data object passed to the HTML. Latest versions are impacted. ## Details The vulnerable header is `X-React-Router-Prerender-Data`, a specific JSON object must be passed to it in order for the spoofing to be successful as we will see shortly. Here is [the vulnerable code](https://github.com/remix-run/react-router/blob/e6c53a0130559b4a9bd47f9cf76ea5b08a69868a/packages/react-router/lib/server-runtime/routes.ts#L87) : <img width="776" alt="Capture d’écran 2025-04-07 à 05 36 58" src="https://github.com/user-attachments/assets/c95b0b33-15ce-4d30-9f5e-b10525dd6ab4" /> To use the header, React-router must be used in Framework mode, and for the attack to be possible the target page must use a loader. ## Steps to reproduce Versions used for our PoC: - "@react-router/node": "^7.5.0", - "@react-router/serve": "^7.5.0", - "react": "^19.0.0" - "react-dom": "^19.0.0" - "react-router": "^7.5.0" 1. Install React-Router with its default configuration in Framework mode (https://reactrouter.com/start/framework/installation) 2. Add a simple page using a loader (example: `routes/ssr`) 3. Access your page (*which uses the loader*) by suffixing it with `.data`. In our case the page is called `/ssr`:  We access it by adding the suffix `.data` and retrieve the data object, needed for the header:  4. Send your request by adding the `X-React-Router-Prerender-Data` header with the previously retrieved object as its value. You can change any value of your `data` object (do not touch the other values, the latter being necessary for the object to be processed correctly and not throw an error):  As you can see, all values have been changed/overwritten by the values provided via the header. ## Impact The impact is significant, if a cache system is in place, it is possible to poison a response in which all of the data transmitted via a loader would be altered by an attacker allowing him to take control of the content of the page and modify it as he wishes via a cache-poisoning attack. This can lead to several types of attacks including potential stored XSS depending on the context in which the data is injected and/or how the data is used on the client-side. ## Credits - Rachid Allam (zhero;) - Yasser Allam (inzo_) |
Affected by 5 other vulnerabilities. |
|
VCID-hwnh-8gqs-8fgj
Aliases: CVE-2026-22030 GHSA-h5cw-625j-3rxh |
React Router has CSRF issue in Action/Server Action Request Processing React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route `action` handlers in [Framework Mode](https://reactrouter.com/start/modes#framework), or when using React Server Actions in the new unstable RSC modes. > [!NOTE] > This does not impact applications that use [Declarative Mode](https://reactrouter.com/start/modes#declarative) (`<BrowserRouter>`) or [Data Mode](https://reactrouter.com/start/modes#data) (`createBrowserRouter`/`<RouterProvider>`). |
Affected by 0 other vulnerabilities. |
|
VCID-y2ce-z8tu-y7e5
Aliases: CVE-2026-22029 GHSA-2w69-qvjg-hvjx |
React Router vulnerable to XSS via Open Redirects React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in [Framework Mode](https://reactrouter.com/start/modes#framework), [Data Mode](https://reactrouter.com/start/modes#data), or the unstable RSC modes can result in unsafe URLs causing unintended javascript execution on the client. This is only an issue if developers are creating redirect paths from untrusted content or via an open redirect. > [!NOTE] > This does not impact applications that use [Declarative Mode](https://reactrouter.com/start/modes#declarative) (`<BrowserRouter>`). |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||